CVE-2025-42891 in Enterprise Search for ABAP
Summary
by MITRE • 12/09/2025
Due to a missing authorization check in SAP Enterprise Search for ABAP, an attacker with high privileges may read and export the contents of database tables into an ABAP report. This could lead to a high impact on data confidentiality and a low impact on data integrity. There is no impact on application's availability.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 12/09/2025
SAP Enterprise Search for ABAP contains a critical authorization vulnerability that allows attackers with high privileges to bypass access controls and extract sensitive database table contents into ABAP reports. This flaw represents a significant security weakness in the platform's access control mechanisms, where the system fails to properly validate user permissions before allowing data export operations. The vulnerability stems from insufficient authorization checks within the ABAP environment, creating an opportunity for privilege escalation and unauthorized data access.
The technical implementation of this vulnerability involves a missing authorization check that should normally validate whether a user has appropriate permissions to read and export database table contents. When an attacker with elevated privileges attempts to perform data export operations, the system should verify their authorization level against the target database objects. However, due to the missing authorization check, this validation process is bypassed, allowing unauthorized data extraction. This flaw specifically affects the ABAP reporting functionality and database access controls within the SAP Enterprise Search framework, creating a pathway for data exfiltration that could compromise sensitive corporate information.
The operational impact of this vulnerability is substantial, particularly concerning data confidentiality. An attacker with high privileges can access and export contents from database tables that should normally be restricted to authorized users only, potentially exposing sensitive business data, personal information, or proprietary corporate assets. The low impact on data integrity indicates that while data can be read and exported, there is no mechanism for modifying or corrupting the database contents through this specific vulnerability. The absence of availability impact suggests that the system's operational functionality remains unaffected, though the data exposure represents a significant risk to information security.
Organizations should implement immediate mitigations including comprehensive access control reviews, enhanced monitoring of database export operations, and validation of user privileges within the SAP environment. The vulnerability aligns with CWE-284 Access Control Issues, specifically related to insufficient authorization checks in application components. From an ATT&CK framework perspective, this vulnerability maps to techniques involving privilege escalation and data exfiltration, particularly T1078 Valid Accounts and T1567 Exfiltration Over Web Service. Security teams should also consider implementing network segmentation, mandatory access controls, and regular security assessments to prevent exploitation of this authorization bypass. Additionally, SAP recommends applying the latest security patches and updates as they become available to address this specific vulnerability in the Enterprise Search for ABAP component.